The Obama Administration unveiled its blueprint for moving quickly to provide …

Saying "American consumers can't wait any longer" for better privacy rules, President Obama took the wraps off his administration's framework for new privacy regulations. As part of its big reveal, the White House also announced the first product of that framework: the completion of an industry agreement on "Do Not Track" technology for behavior-based web advertising.

The blueprint, outlined in an administration white paper, includes a "Consumer Privacy Bill of Rights"—a set of principles intended to guide how businesses handle consumers' personal information—and steps to incorporate those principles into federal regulations. The blueprint includes negotiating a set of practices with industry, consumer protection and privacy advocates, plus other "stakeholders" in privacy policy. The practices will then be enforceable by the Federal Trade Commission.

The "Do Not Track" agreement is a first step toward that model. Signed by a group of web advertising networks and "leading Internet companies," including Google, Yahoo, Microsoft, and AOL, the agreement will lead to the adoption of Do Not Track features integrated into web browsers. This will allow consumers to opt out of behavior-based marketing, blocking advertiser's tracking "cookies" and preventing other types of cross-site tracking of behavioral information. The companies signing off on the agreement account for delivery of nearly 90 percent of behavior-based advertisement, according to White House figures. The companies entered into the agreement voluntarily, but now are subject to the Federal Trade Commission's oversight and enforcement of its terms.

FTC chairman Jon Leibowitz said of the agreement in a statement: “It’s great to see that companies are stepping up to our challenge to protect privacy so consumers have greater choice and control over how they are tracked online. More needs to be done, but the work they have done so far is very encouraging.”

The Consumer Privacy Bill of Rights' seven principles, as outlined in the administration's blueprint, are:

Individual Control: Consumers have a right to exercise control over
what personal data organizations collect from them and how they use it.

Transparency: Consumers have a right to easily understandable information about privacy and security practices.

Respect for Context: Consumers have a right to expect that
organizations will collect, use, and disclose personal data in ways that
are consistent with the context in which consumers provide the data.

Security: Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability: Consumers have a right to have personal data
handled by companies with appropriate measures in place to assure they
adhere to the Consumer Privacy Bill of Rights.

In part, the administration's efforts are meant to help bring US privacy regulations into closer alignment with those of the European Union and other trading partners. Representatives from the EU and other "international partners" are expected to participate in discussions of how to incorporate the principles into practice alongside other "stakeholders." The administration also intends to pursue legislation to extend baseline privacy protection to business sectors not currently covered by federal privacy laws.

40 Reader Comments

Hopefully they'll walk the walk. As much as I don't want overregulation in this area, I think there should be a decent set of standards when companies collect personal information (or even just basic things like passwords). At the very least, there needs to be severe punishment for companies that leave data in plaintext in their databases instead of encrypting it in SOME fashion.

Now instead of serving the ad that you're most likely to click, they're going to start serving all the ads. Then everyone going to start using ad block. And then they're going to figure out how to prevent ad block from blocking ads.

Most of the companies that do track,actually make the web browser a party of their business,because they will keep your information for years,if not for several years. And it is the business doing so,not the browser at the screen/page,that has its relationship in those legal attributes . (think sarbanes oxley). Might be a small thing,but even as you are unaware of it,they will keep your activities anonymized or not,for many years. What is most contempuous,is that they do this,by their own 'self-regulation',and perhaps up until presently,nobody is/was aware they have given themselves right to do this.

So if you had several favorite sites that were vistited,over a given interval,these tracks',are here for years.

The problem is this will make 'lists of FTC participants. That will then continue to encapsulate terms for political,and regulation.

Why don't they just keep up with 'Web Standards'.

A single session of about 4 hours on the web can create more than 500 listings.

This is all just fluff from the White House unless Congress actually goes and passes a law to give the FTC power to enforce this.

Even if they do, it's still a waste of time. The entertainment industry has spent several years and god only knows how much time/money trying to stop Joe Sixpack from sharing the latest Snoop Dogg album. What makes you think Joe Sixpack has a chance in hell of preventing these large companies from sharing his phone number, laws or no laws?

The internet is an avenue for information/content sharing, and for better or worse, NOBODY is in control over what gets shared, nor will they ever be. Once it is 'out there', it's pretty much public property.

That being said, the main reason these commercial bastards want your information in the first place is so they can target you with ads, and anybody with common sense is already using adblock anyway. For more 'direct marketing', what congress SHOULD be doing is setting up global 'OPT IN' lists for direct marketing and making it against the law to harass people not on this list in ANY capacity, then these companies won't have a reason to track you anymore.

And how will the FTC track this? Do they suddenly have the resources to do this? And how will they enforce this? Will they be able to levy fines? Will they be able to force these companies to stop serving scripts or saving certain data? If companies like Google are found to be collecting data for users that opt-out, and the FTC finds them in violation of the agreement, will Google just opt-out of the agreement?

I'll be more impressed when I see a "Universal Privacy Bill of Rights" as opposed to a "Consumer" one. I'm less concerned about AOL, Google, and Facebook all selling each other the knowledge that I like gaming and science, and more concerned about how agencies ranging from local police up to the NSA may or may not be intercepting and scanning every bit you and I transmit or receive, may or may not be storing all that information in comprehensive profiles of us "just in case", and may or may not ever bother to check if it's legal.

The entertainment industry has spent several years and god only knows how much time/money trying to stop Joe Sixpack from sharing the latest Snoop Dogg album.

I think the comparison is significant. The RIAA claim they own the content that you're listening to, and they only licensed you to use under certain conditions. I think I own my name and contact information and anything else about me as an individual. I am quite happy to license its use to companies under certain conditions. But it's still my information, not theirs, and there are restrictions on how it's used, including most especially a prohibition on reselling it.

Now instead of serving the ad that you're most likely to click, they're going to start serving all the ads. Then everyone going to start using ad block. And then they're going to figure out how to prevent ad block from blocking ads.

Not to mention websites can completely ignore Do Not Track.

It's basically an arms race. Always has been and always will be. Mind you, my current setup has prevented ads from being shown to me for the last few years so far - the corporations are losing

Being on Facebook is considered a constitutional right? Maybe instead of a bill, the government can just spend $100mil on brochures to inform stupid people how to protect their privacy. Let's think of better ways to waste money!

I'm pleasantly Surprised that Obama is addressing this. I think one clarion omission would be the right to receive a copy of everything an ad network has one you (a right to oversight). Another would be the right to revoke permission and force the ad networks to delete all data on you (a right to be forgotten as it were). Oh, and a prohibition on selling the data to another network.

Obama and I don't agree on much. I hope he carries through on this by giving the FTC a little muscle to enforce this.

Bravo to *all* of you, especially those who've asked for meaningful punishment (motivation to comply), coverage of *all* entities (not necessarily those not bearing simply just commercial interest, and _including_ the government), and, if a human so requests, *immediate* purge of all records now nefariously gathered. Like many of you've implied, I've looked in the mirror and noticed that I'm not blue from having held my breath.

This is all just fluff from the White House unless Congress actually goes and passes a law to give the FTC power to enforce this.

Exactly what I was thinking. More politicking from Obama who is seeking re-election votes from "consumers." Sorry brov, you sold me out to your corporate backers - I'm not falling for your bullshit.

And this:

worknman wrote:

For more 'direct marketing', what congress SHOULD be doing is setting up global 'OPT IN' lists for direct marketing and making it against the law to harass people not on this list in ANY capacity, then these companies won't have a reason to track you anymore.

If this were to be instituted, this would require a lot more goodwill from companies. More companies would have to engage in efforts like Google has such as Google Voice being a free service. I give Google a lot of leeway just because they do offer a lot of incentives to be loved. If all advertising services were to work this way, imagine the amount of offers that would be available to "consumers" just to obtain their consent? Opt-In would surely give the average person leverage over what they want to share, with whom, duration of agreement, and for what they get in return.. That's a far cry better than the current money grab machines.

Being on Facebook is considered a constitutional right? Maybe instead of a bill, the government can just spend $100mil on brochures to inform stupid people how to protect their privacy. Let's think of better ways to waste money!

blah, blah, right to privacy...past actions show he doesn't believe that. My guess is that while they won't use cookies, they'll just start building in something like behavioral prediction mechanisms to get the same effect.

Maybe the Obama Administration should first start caring about the original Bill of Rights.

Exactly. It's tough when you have to keep enforcing the awful laws of the previous administration.

I'm curious to see how websites respond. It's a shame people focus on advertising, which is is probably the most meaningless and stupid thing to worry about for tracking. So yahoo will serve me a loan ad because I've visited articles on mortgages and home improvement? Big deal. Now I'll just see ads for old people shit and teeny bopper albums in the mix, which will make life more annoying.

And then in terms of standard sites you visit, I don't see the point of blocking those either. We use that data to make the site a better experience by either bringing things to the forefront that people have to go around looking for yet are still popular, or decommissioning wastes of space that make the experience worse. Plus you'd lose the ability to have your next visit tailored to what you normally do vs having to re-do all of it all over again.

And finally, anyone who enables do-not-track, I'd ask how weird it is to buy groceries or medicine while wearing a mask and using fake identification. Because people that work there or even stand in line with you know a lot more about you than any website ever will.

Respect for Context: Consumers have a right to expect that organizations will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.

All within the policy

Quote:

Security: Consumers have a right to secure and responsible handling of personal data.

in policy

Quote:

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data are inaccurate.

It's basically an arms race. Always has been and always will be. Mind you, my current setup has prevented ads from being shown to me for the last few years so far - the corporations are losing

They are winning I'd say. People like you and me are statistical noise in the grand scheme of things. I try to help people out by setting them up with an adblocker, but the first time they try to play some online game and it doesn't work, they will turn it off and leave it off. The rabble really doesn't care.

This is a farce. The government wants to be able to dig up records of activity from anywhere folks roam, be it marketing data, torrent feeds, etc. This "do not track" will be some superficial BS that sounds good, but deep down will be non-existent.

Self-regulation won't be enough. This is a good first step, but will prove to be insufficient without congressional legislation and an actual enforcement mechanism as has been called for in the EU, http://jolt.richmond.edu/v18i1/article2.pdf

I come to Ars because of it's high quality stories and also because of the thoughtful point/counter-point of it's readers. You commenters are the gold standard compared to most forums I've seen. I often learn as much from the the comments as from the article. Not to lecture but please don't devolve to the political flaming common to other forums.

First and foremost - this is bullshit - It Should Be OPT OUT - period.

And also - are we going to have to be opting out every 5 seconds as we jump from one M$ or Google service to another ? Or does the one time opt out apply across all of their services ?

MonkeyT wrote:

Do these "organizations" include the government?

No! The Government is always exempt from things like this. Just llok at the Do NOt Call Nat'l Registry. Anyone running for election or that has a political agenda around an election can bother you all day long as much as they fel like it. ICE is not going to have to adhere to this - are you kidding ?

I just don't think this is enough... Opt-in-only and a ban on info-selling would be a good beginning, but that's a pipe-dream. There's too much money in tracking consumers at this point.

I use AdBlock Plus and Ghostery add-ons, and SUPERantispyware software that cleans out the cookies nightly, and I'm always on the lookout for some other way to keep off Marketing's radar -- always aware that there's a good chance I don't know what I'm doing and it's all a waste of time. Can we really pro-actively protect ourselves? These guys are good at what they do.

Of course those companies are playing along. They know well that government has set its mind (figuratively) on some privacy regulations, the companies are just trying to soften the blow and not get in the crosshair of the overlords. It doesn't matter that those regulations are silly and wasteful, there is no stopping government "brightest ideas".

I think websites should show a black page when they receive a DNT flag. If the user doesn't want to be tracked, but the service is ad-funded, then simply don't let the user in. If some sites want to offer a no tracking option to users, great too. But they shouldn't be forced to offer their service at a discount.For politicians to say user should have the cake and it eat too is simply childish (but I repeat myself).

I think websites should show a black page when they receive a DNT flag. If the user doesn't want to be tracked, but the service is ad-funded, then simply don't let the user in. If some sites want to offer a no tracking option to users, great too. But they shouldn't be forced to offer their service at a discount.For politicians to say user should have the cake and it eat too is simply childish (but I repeat myself).

Does anyone else here see the parallel between regulation of online privacy and price controls?

Generally, we let people choose products they want, based on benefits and costs. That includes visible costs (big bucks for an iPad) and less visible ones (locked OS or carrier). We also let entrepreneurs determine what features should be produced and at what price. That works because of competition.

Here government is telling entrepreneurs which features they can or cannot build, and what costs are acceptable or not to the users. As any price control, this will have adverse effects.

Having some of your online behaviors tracked is undoubtedly a cost to users, but trying to control that cost down beyond what users actually want will make the internet a poorer place. Services cannot target as well, revenues fall, new services aren't as quick to appear. Overall, supply will simply fall.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.